Date: Wed, 17 Sep 2014 10:14:33 -0400
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: Twisted Security Issue
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello all,
The Twisted security project has identified, fixed, and released a
release fixing a security issue; I would like a CVE assigned:
Title: trustRoot not respected in HTTP client
Reporter: Alex Gaynor and David Reid (Rackspace)
Products: Twisted (14.0 only).
Description:
When specifying the trustRoot (CA store) for the HTTP client, Twisted
did not respect the user's specification, and always used the default
of the platform trust. This means that users attempting to use this
feature to implement certificate pinning, or otherwise restrict the
trusted CAs, would still have accepted any certificate signed by a CA.
Twisted 14.0.1 has been issued to resolve this issue. (Distributors
should note that this release has failing tests, and that a 14.0.2
release will be issued tomorrow; this does not affect the fix, only
the tests.)
Alex
- --
"I disapprove of what you say, but I will defend to the death your
right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v0.6.1-dev
Comment: http://openpgpjs.org
-----END PGP SIGNATURE-----
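
The advisory describes a configured trust root being silently ignored; the negative test below (an added example, not code from the original message or from Twisted) shows the check that catches this class of bug: a client pinned to CA A must reject a certificate issued by CA B. It uses the standard library `ssl` module and the `cryptography` package rather than Twisted's API, and the helper names, hostnames and certificates are constructed for the illustration.

```python
import datetime, ssl, tempfile
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization as ser
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, issuer=None, ca=False):
    """Constructed test cert; self-signed unless issuer=(cert, key) is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    day = datetime.timedelta(days=1)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(issuer[0].subject if issuer else name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - day).not_valid_after(now + day)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(issuer[1] if issuer else key, hashes.SHA256()))
    return cert, key

def client_accepts(trust_root, server, hostname="pin.test"):
    """In-memory TLS handshake: True if a client trusting only trust_root accepts server."""
    cert, key = server
    pem = ser.Encoding.PEM
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(cert.public_bytes(pem) + key.private_bytes(
            pem, ser.PrivateFormat.PKCS8, ser.NoEncryption()))
        f.flush()
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(f.name)
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    cctx.load_verify_locations(cadata=trust_root.public_bytes(pem).decode())
    to_client, to_server = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = cctx.wrap_bio(to_client, to_server, server_hostname=hostname)
    srv = sctx.wrap_bio(to_server, to_client, server_side=True)
    try:
        for _ in range(6):  # alternate sides until the handshake settles
            for side in (client, srv):
                try:
                    side.do_handshake()
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
    except ssl.SSLCertVerificationError:
        return False  # chain does not lead to the pinned root
    return client.getpeercert() is not None
```

The same pair of assertions (own CA accepted, foreign CA rejected) is what to run against whichever HTTP client is supposed to honour the pin.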